Malaysia: Bank Negara Malaysia issues Policy Document on Merchant Acquiring Services

In brief

Following the issuance of the Exposure Draft of Merchant Acquiring Services Policy Document on 17 July 2020 ("MAS Exposure Draft") (click here for our client alert on the MAS Exposure Draft), Bank Negara Malaysia (BNM) has now issued the final Policy Document on Merchant Acquiring Services on 15 September 2021 ("MAS Policy Document").

The MAS Policy Document focuses on risk management and applies to Qualified Acquirers (defined below). Requirements in relation to minimum capital, governance, operations (e.g., merchant management and outsourcing), information technology and reporting obligations have been introduced. These measures are designed to enhance BNM's supervision and regulation of Qualified Acquirers.


Key Takeaways

  1. The MAS Policy Document only applies to a person registered with BNM to provide merchant acquiring services (including an e-money issuer that conducts merchant acquiring services for its own e-money scheme) and fulfils the following criteria ("Qualified Acquirers"):
    1. enters into a contract with merchant(s), which results in a transfer of funds to the merchant(s) by: (i) conducting or being responsible for fund settlement; or (ii) issuing fund settlement instructions;
    2. facilitates the merchant's acceptance of payment instruments; and
    3. is a direct participant of payment instrument network(s) to provide merchant acquiring services.
  2. The key changes in the MAS Policy Document from the MAS Exposure Draft include the following:
    1. removal of specific fit and proper criteria for key responsible persons of Qualified Acquirers (although Qualified Acquirers must still establish a robust governance framework for its board of directors and senior management) and the shareholder sustainability requirements;
    2. removal of the requirement to ensure that there is no exclusivity in the use of payment terminals / devices to support only a specific payment network or instrument; and
    3. enhancements to the requirements on business continuity management and outsourcing.
  3. The MAS Policy Document will have a material impact on Qualified Acquirers, as they:
    1. will need to implement or materially enhance among others, their existing governance policies, risk management framework, merchant acquisition and monitoring system, settlement system, outsourcing procedures / arrangements, business continuity management and IT systems; and
    2. will be exposed to increased liabilities to provide funds settlement to merchants if the issuer, payment facilitator, or any other parties involved in the handling of the settlement funds fail to fulfil its settlement obligations.
  4. Other participants in the payment industry and persons who deal with Qualified Acquirers (including outsourced parties) will also be affected, as these obligations will likely be passed on by the Qualified Acquirers to these third parties.
  5. The MAS Policy Document will come into effect on 15 March 2022, except in respect of non-bank Qualified Acquirers, the information technology requirements will come into effect on 15 September 2022 and the minimum capital requirements will come into effect on 15 September 2023. Given the scale and materiality of the requirements, Qualified Acquirers should immediately conduct a gap analysis on their existing systems and arrangements and implement steps to comply with the MAS Policy Document.

In more detail

Some of the key requirements and standards are set out below.



Key Requirements and Standards


Minimum Capital Requirements for Non-Bank Qualified Acquirers

  • RM 1 million for large non-bank Qualified Acquirers (i.e., Qualified Acquirers with an actual or projected amount of average monthly transaction value of more than RM 10 million).
  • RM 300,000 for small non-bank Qualified Acquirers.

Settlement Risk Management

  • Merchant settlement funds must be deposited into a dedicated account with a licensed bank or prescribed institution.
  • Where settlement to small and medium enterprise (SME) merchants takes more than two (2) working days upon receipt of funds from payment instrument network, either: (a) place the settlement funds in a trust account; (b) adopt direct settlement method to merchants; or (c) secure a bank guarantee on outstanding settlement fund.
  • Qualified Acquirers must settle the funds to merchants if the issuer, payment facilitator or any other parties involved in the handling of the settlement funds fail to fulfil its settlement obligations.

Dealings with Merchants and Other Parties Who May Expose Merchants to Payment and/or Settlement Risks ("Payment Parties")

  • Conduct due diligence when onboarding merchants.
  • Ensure that Payment Parties have adequate operational and risk management policies and procedures in place.
  • Effectively monitor the activities of merchants and Payment Parties.
  • Establish rules and procedures on liability management, chargeback and dispute resolution.
  • Ensure that withholding of funds from the merchants is fair and not detrimental to the merchants.

Outsourcing Arrangements

  • Enhanced corporate governance, administrative, legal and operational requirements on outsourcing arrangements (e.g., due diligence, board approval, specific terms on outsourcing agreements).
  • Outsourcing agreements with IT related third party service provider must contain arrangements for disaster recovery and backup capability, IT system availability and oblige the service provider to provide sufficient notice before undertaking changes that may impact IT systems and to facilitate updates to BNM on cyber-incidents.

Business Continuity Management

  • Ensure adequate resources and capacity to deliver consistently reliable and secure services.
  • Undertake structured risk assessment and develop effective business continuity plan and disaster recovery plan.

Information Technology Requirements

  • Establish Technology Risk Management Framework, Cyber Resilience Framework, control procedures for data centre operations, comprehensive cyber crisis management policies and procedures, technology audit plan and other policies and procedures.
  • Ensure network services supporting IT systems are designed and implemented to ensure confidentiality, integrity and availability of data
  • Implement access control policy for identification, authentication and authorization of users.
  • Provide adequate and regular technology and cybersecurity awareness education to all staff.


LOGO Malaysia_Wong & Partners_KualaLumpur

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. 

Contact Information

Copyright © 2023 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.